Re: [Freeipa-devel] [PATCH] 1019 require policycoreutils if SELinux is enabled
On 05/23/2012 08:03 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 2012-05-18 17:53, Rob Crittenden wrote: We don't have an explicit requires on the policycoreutils package in the client because SELinux is not required (just recommended). SELinux can be enabled without this package so check for that condition and don't allow installation if it is the case. The resulting install will be rather broken. Also check on the server when installing. This should never happen but in theory it could do the server install then fail in the client because of this. rob All other platform-dependent services have a default defined in ipapython/services.py.in. Shouldn't check_selinux_status have one, too? Yes, you're right, I forgot to add that. Patch updated. rob Unfortunately, the patch doesn't apply. I also found a comment typo in ipapython/platform/redhat.py ipapython/platform/fedora.py: +# Everything else is made available through these symbols when they directly +# imported into ipapython.services: s/they directly/they are directly/ -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 133 Action list for user password
Just for record: this patch is replaced by my patches 141, 142 (sent to list on May 24). On 05/14/2012 07:12 PM, Endi Sukma Dewata wrote: On 5/3/2012 3:59 AM, Petr Vobornik wrote: Currently the user password is shown as follows in the details page: Password: Reset Password This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password. Now password is shown as follows: Password: *** (if set) Password: (if not set) Reset password action was moved to Action List. https://fedorahosted.org/freeipa/ticket/2248 Note: I will address enabling/disabling 'reset password' option in action list in ticket #2318. Just for the record: On 5/11/2012 11:36 AM, Petr Vobornik wrote: On 05/08/2012 01:47 AM, Endi Sukma Dewata wrote: 10. The 'Action List' in ticket #2248 for the password reset is actually different than the action list for Enable/Disable. I was proposing to create a small panel under the 'Account Settings' section, probably something like this: --- Account Settings +-+ User login: admin | Actions: | Password: | Reset password | Password expiration: +-+ UID: GID: This panel might better be called 'Action Panel' to distinguish from the dropdown 'Action List' on the top. The reason for this panel is that a Password Reset only affects an aspect of the user, not the entire object like Enable/Disable (although that can also be argued differently), so the action should be placed where it's relevant, in this case near the Password field. The same concept will be used for ticket #2250, #2251, #2252. I'll consider my patch #133 NACKed and first create the action panels. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 146 Added cancel button to service unprovision dialog
Service unprovision dialog was missing a cancel button. The button was added. https://fedorahosted.org/freeipa/ticket/1811 -- Petr Vobornik From ce7d399b295cebc1477b2590102cf42089dadb2a Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Mon, 14 May 2012 08:40:41 +0200 Subject: [PATCH] Added cancel button to service unprovision dialog Service unprovision dialog was missing a cancel button. The button was added. https://fedorahosted.org/freeipa/ticket/1811 --- install/ui/service.js |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/install/ui/service.js b/install/ui/service.js index c86a6d05daa1d44dbff379bb85241182371464cb..129f166a3d11338522c2eb95ede7d51280382aa5 100644 --- a/install/ui/service.js +++ b/install/ui/service.js @@ -314,6 +314,14 @@ IPA.service_provisioning_status_widget = function (spec) { } }); +dialog.create_button({ +name: 'cancel', +label: IPA.messages.buttons.cancel, +click: function() { +dialog.close(); +} +}); + dialog.open(that.container); return false; -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 260 Replace DNS client based on acutil with python-dns
On 05/23/2012 02:30 PM, Martin Kosek wrote: On Wed, 2012-05-23 at 14:24 +0200, Martin Kosek wrote: On Tue, 2012-05-22 at 14:41 +0200, Petr Viktorin wrote: On 05/16/2012 09:44 AM, Martin Kosek wrote: On Tue, 2012-05-15 at 14:02 +0200, Petr Viktorin wrote: On 05/11/2012 06:52 PM, Martin Kosek wrote: python-dns is very feature-rich and it can help us a lot with our DNS related code. This patch does the first step, i.e. replaces acutil use with python-dns, which is more convenient to use as you will see in the patch. More integration will follow in the future. I send this patch rather early, so that I can get responses to this patch early and also so that we are able to catch issues in a safe distance from the next release. --- IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 [...] Fixed. Martin I've been testing the patches in various setups and haven't found a regression so far. ACK on 261, for 260 I have a comment below. diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 86bef28b2d7fdfc8111b493bddec7ac6888f021a..1889d1918c01fe0c80a3d56b9a7ef304c5a7d97c 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -310,84 +313,74 @@ class IPADiscovery: os.rmdir(temp_ca_dir) -def ipadnssearchldap(self, tdomain): -servers = -rserver = +def ipadns_search_srv(self, domain, srv_record_name, default_port, + get_first=True): + +Search for SRV records in given domain. When no record is found, +en empty string is returned -qname = _ldap._tcp.+tdomain -# terminate the name -if not qname.endswith(.): -qname += . -results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV) +:param domain: Search domain name +:param srv_record_name: SRV record name, e.g. _ldap._tcp +:param default_port: When default_port is not None, it is being +checked with the port in SRV record and if they don't +match, the port from SRV record is appended to +found hostname in this format: hostname:port +:param get_first: break on first find, otherwise multiple finds +separated by : may be returned They are separated by ,. In the calling code, for splitting a comma-separated string it is better to use servers.split(',') than ipautil.parse_items(servers). Or, return a list directly from here. I did not want to get too intrusive with the patch, but I took your advice and rather return now a list of servers - its more effective than to returning a comma-joined list and then splitting it back to standard list :-) That made parse_items function redundant. Good riddance. Martin I forgot to include a change in the spec file - authconfig should be no longer needed for build. Martin I tested several installs and couldn't find a regression. ACK. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 260 Replace DNS client based on acutil with python-dns
On Thu, 2012-05-24 at 13:53 +0200, Petr Viktorin wrote: On 05/23/2012 02:30 PM, Martin Kosek wrote: On Wed, 2012-05-23 at 14:24 +0200, Martin Kosek wrote: On Tue, 2012-05-22 at 14:41 +0200, Petr Viktorin wrote: On 05/16/2012 09:44 AM, Martin Kosek wrote: On Tue, 2012-05-15 at 14:02 +0200, Petr Viktorin wrote: On 05/11/2012 06:52 PM, Martin Kosek wrote: python-dns is very feature-rich and it can help us a lot with our DNS related code. This patch does the first step, i.e. replaces acutil use with python-dns, which is more convenient to use as you will see in the patch. More integration will follow in the future. I send this patch rather early, so that I can get responses to this patch early and also so that we are able to catch issues in a safe distance from the next release. --- IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 [...] Fixed. Martin I've been testing the patches in various setups and haven't found a regression so far. ACK on 261, for 260 I have a comment below. diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 86bef28b2d7fdfc8111b493bddec7ac6888f021a..1889d1918c01fe0c80a3d56b9a7ef304c5a7d97c 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -310,84 +313,74 @@ class IPADiscovery: os.rmdir(temp_ca_dir) -def ipadnssearchldap(self, tdomain): -servers = -rserver = +def ipadns_search_srv(self, domain, srv_record_name, default_port, + get_first=True): + +Search for SRV records in given domain. When no record is found, +en empty string is returned -qname = _ldap._tcp.+tdomain -# terminate the name -if not qname.endswith(.): -qname += . -results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV) +:param domain: Search domain name +:param srv_record_name: SRV record name, e.g. _ldap._tcp +:param default_port: When default_port is not None, it is being +checked with the port in SRV record and if they don't +match, the port from SRV record is appended to +found hostname in this format: hostname:port +:param get_first: break on first find, otherwise multiple finds +separated by : may be returned They are separated by ,. In the calling code, for splitting a comma-separated string it is better to use servers.split(',') than ipautil.parse_items(servers). Or, return a list directly from here. I did not want to get too intrusive with the patch, but I took your advice and rather return now a list of servers - its more effective than to returning a comma-joined list and then splitting it back to standard list :-) That made parse_items function redundant. Good riddance. Martin I forgot to include a change in the spec file - authconfig should be no longer needed for build. Martin I tested several installs and couldn't find a regression. ACK. Thanks, pushed both to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1014 configurable service timeout
On 05/18/2012 10:03 PM, Rob Crittenden wrote: Rob Crittenden wrote: A hardcoded timeout was used in ipactl for service restarts, set rather low. A separate timeout was hardcoded into the installer. I centralized them into a single timeout, configurable in the standard way in /etc/ipa/*.conf. On install it will always default to 120 seconds and remain there unless changed in default.conf (not replicated either). I tested this on systemd systems and sysV systems and it works ok for me. You'll also want to double-check that this works when other 389-ds instances are installed. Getting the naming of instances right was a bit tricky. Noticed a problem on upgrades and fixed that. Updated patch attached. rob Please rebase the patch onto current master. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1014 configurable service timeout
Petr Viktorin wrote: On 05/18/2012 10:03 PM, Rob Crittenden wrote: Rob Crittenden wrote: A hardcoded timeout was used in ipactl for service restarts, set rather low. A separate timeout was hardcoded into the installer. I centralized them into a single timeout, configurable in the standard way in /etc/ipa/*.conf. On install it will always default to 120 seconds and remain there unless changed in default.conf (not replicated either). I tested this on systemd systems and sysV systems and it works ok for me. You'll also want to double-check that this works when other 389-ds instances are installed. Getting the naming of instances right was a bit tricky. Noticed a problem on upgrades and fixed that. Updated patch attached. rob Please rebase the patch onto current master. Done From 48a82f72418430a9898214214a3f00bb9071c58c Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 24 May 2012 11:23:36 -0400 Subject: [PATCH] Centralize timeout for waiting for servers to start. All service start/restart currently go through ipapython/platform so move the wait for service to start code there as well. A dictionary of known services and ports to wait on is defined in base.py This is referenced by the platforms by instance name to determine what to wait for. For the case of dirsrv if we get that as a plain name (no specific instance) it is assumed to be the main IPA service. https://fedorahosted.org/freeipa/ticket/2375 --- install/tools/ipactl | 22 +++- ipalib/constants.py |2 ++ ipapython/ipautil.py | 54 ipapython/platform/base.py| 56 ++--- ipapython/platform/fedora16.py|4 +-- ipapython/platform/redhat.py | 22 ++-- ipapython/platform/systemd.py | 23 ++-- ipaserver/install/cainstance.py |1 - ipaserver/install/dsinstance.py |3 +- ipaserver/install/installutils.py | 52 --- ipaserver/install/plugins/updateclient.py |4 +-- ipaserver/install/replication.py |3 +- ipaserver/install/service.py | 10 +++--- ipaserver/install/upgradeinstance.py |5 +++ ipaserver/ipaldap.py |7 ++-- 15 files changed, 166 insertions(+), 102 deletions(-) diff --git a/install/tools/ipactl b/install/tools/ipactl index 74ee383047618ac3053d61d40a8eb13e27f7fc78..c1d5360a5e504afbbd27dfa3e8b8f11a00910a33 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -24,7 +24,8 @@ try: from ipaserver.install import service from ipapython import services as ipaservices from ipaserver.install.dsinstance import config_dirname, realm_to_serverid -from ipaserver.install.installutils import is_ipa_configured, wait_for_open_ports, wait_for_open_socket +from ipaserver.install.installutils import is_ipa_configured +from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket from ipapython import sysrestore from ipapython import config from ipalib import api, errors @@ -110,11 +111,14 @@ def parse_options(): def emit_err(err): sys.stderr.write(err + '\n') -def get_config(): +def get_config(dirsrv): base = cn=%s,cn=masters,cn=ipa,cn=etc,%s % (api.env.host, api.env.basedn) srcfilter = '(ipaConfigString=enabledService)' attrs = ['cn', 'ipaConfigString'] +if not dirsrv.is_running(): +raise IpactlError(Failed to get list of services to probe status:\n + + Directory Server is stopped, 3) try: # systemd services are so fast that we come here before @@ -122,10 +126,10 @@ def get_config(): # the socket/port be really available. lurl = ldapurl.LDAPUrl(api.env.ldap_uri) if lurl.urlscheme == 'ldapi': -wait_for_open_socket(lurl.hostport, timeout=6) +wait_for_open_socket(lurl.hostport, timeout=api.env.startup_timeout) else: (host,port) = lurl.hostport.split(':') -wait_for_open_ports(host, [int(port)], timeout=6) +wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout) con = ldap.initialize(api.env.ldap_uri) con.sasl_interactive_bind_s('', SASL_EXTERNAL) res = con.search_st(base, @@ -180,7 +184,7 @@ def ipa_start(options): svc_list = [] try: -svc_list = get_config() +svc_list = get_config(dirsrv) except Exception, e: emit_err(Failed to read data from Directory Service: + str(e)) emit_err(Shutting down) @@ -224,14 +228,14 @@ def ipa_stop(options): dirsrv = ipaservices.knownservices.dirsrv svc_list = [] try: -svc_list = get_config() +svc_list = get_config(dirsrv) except Exception, e:
Re: [Freeipa-devel] [PATCH] 1019 require policycoreutils if SELinux is enabled
Petr Viktorin wrote: On 05/23/2012 08:03 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 2012-05-18 17:53, Rob Crittenden wrote: We don't have an explicit requires on the policycoreutils package in the client because SELinux is not required (just recommended). SELinux can be enabled without this package so check for that condition and don't allow installation if it is the case. The resulting install will be rather broken. Also check on the server when installing. This should never happen but in theory it could do the server install then fail in the client because of this. rob All other platform-dependent services have a default defined in ipapython/services.py.in. Shouldn't check_selinux_status have one, too? Yes, you're right, I forgot to add that. Patch updated. rob Unfortunately, the patch doesn't apply. I also found a comment typo in ipapython/platform/redhat.py ipapython/platform/fedora.py: +# Everything else is made available through these symbols when they directly +# imported into ipapython.services: s/they directly/they are directly/ Fixed and rebased. This requires patch 1014 to apply. rob From cf6a3689f72e7387ea69732b8cba2c07f74f1ca7 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 24 May 2012 11:24:12 -0400 Subject: [PATCH] If SELinux is enabled ensure we also have /sbin/restorecon. We don't have a specific requires on the policycoreutils package. It gets pulled in as a dependency on the server anyway, but checking there is like a belt and suspenders. On the client we don't require SELinux at all. If SELinux is enabled however we need /sbin/restorecon to set things up properly. This is provided by the policycoreutils package so fail if that isn't available. https://fedorahosted.org/freeipa/ticket/2368 --- install/tools/ipa-replica-install |1 + install/tools/ipa-server-install |2 ++ ipa-client/ipa-install/ipa-client-install |1 + ipapython/platform/fedora16.py| 23 ++- ipapython/platform/redhat.py | 46 - ipapython/services.py.in | 14 ++--- 6 files changed, 69 insertions(+), 18 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 7cfe7627e2d0b85d3584ab757c3ca5b78c51b801..f0c67e008a3c3ba5a934594f3c6100113f93ff43 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -276,6 +276,7 @@ def check_bind(): sys.exit(1) def main(): +ipaservices.check_selinux_status() safe_options, options, filename = parse_options() standard_logging_setup(/var/log/ipareplica-install.log, debug=options.debug) root_logger.debug('%s was invoked with argument %s and options: %s' % (sys.argv[0], filename, safe_options)) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 2f06a9e879902eb1c2ac340757fcd1762959fe30..e7b82364a550bfbc2f818b5e6f353715237a9769 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -539,6 +539,8 @@ def main(): if os.getegid() != 0: sys.exit(Must be root to set up server) +ipaservices.check_selinux_status() + signal.signal(signal.SIGTERM, signal_handler) signal.signal(signal.SIGINT, signal_handler) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 6854581d205d628f9110f71283bffab476f7b115..3be7d8d63e34a389d34172993f60e6f338da4a9c 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1535,6 +1535,7 @@ def main(): if not os.getegid() == 0: sys.exit(\nYou must be root to run ipa-client-install.\n) +ipaservices.check_selinux_status() logging_setup(options) root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) root_logger.debug(missing options might be asked for interactively later\n) diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py index 4b662b3b86d4af9f39bae1dcf6268668da5c9013..2000a4ad230b0fbe44aa80efeec6880831a52fac 100644 --- a/ipapython/platform/fedora16.py +++ b/ipapython/platform/fedora16.py @@ -22,13 +22,21 @@ from ipapython.platform import base, redhat, systemd import os # All what we allow exporting directly from this module -# Everything else is made available through these symbols when they directly imported into ipapython.services: -# authconfig -- class reference for platform-specific implementation of authconfig(8) -# service-- class reference for platform-specific implementation of a PlatformService class -# knownservices -- factory instance to access named services IPA cares about, names are ipapython.services.wellknownservices -# backup_and_replace_hostname -- platform-specific way to set hostname and make it persistent over reboots -# restore_context -- platform-sepcific way to restore
[Freeipa-devel] dns.py question
In dns_is_enabled it computes the base_dn but never uses it. Instead it uses self.base_dn, but as far as I can figure out there is no self.base_dn in the class hierarchy (if so could you point me at it). The access to self.base_dn is wrapped in a try/except block that doesn't handle any errors so if in fact there was no self.base_dn that error would be silently ignored. So is self.base_dn a typo and we're supposed to be using the local base_dn that's computed but never used? Code snipped attached so it won't be mangled by line wrapping. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ class dns_is_enabled(Command): Checks if any of the servers has the DNS service enabled. NO_CLI = True has_output = output.standard_value base_dn = 'cn=masters,cn=ipa,cn=etc,%s' % api.env.basedn filter = '((objectClass=ipaConfigObject)(cn=DNS))' def execute(self, *args, **options): ldap = self.api.Backend.ldap2 dns_enabled = False try: ent = ldap.find_entries(filter=self.filter, base_dn=self.base_dn) if len(ent): dns_enabled = True except Exception, e: pass return dict(result=dns_enabled, value=u'') ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] routing requests to local servers - DNS SRV [discussion needed]
Hello, some time ago there was a request for DNS to support routing requests to local servers. Any opinions if/when do it and proposals how to do it are more than welcome. My best knowledge about this problem follows: This request actually means differentiate answer to DNS query on client's IP address basics. Relevant thread on ipa-users-list: https://www.redhat.com/archives/freeipa-users/2012-April/msg00070.html First question is: Do we want to implement it? (IMHO it is very important for large-scale deployments.) It is related to IPA ticket #122 at architecture level: IPA DNS integration should support GeoIP https://fedorahosted.org/freeipa/ticket/122 IMHO it is better to support generic locations defined by user than real Geo-IP: - at least private IP addresses will be problematic - real Geo-IP database is huge and can slow all things down Bind-dyndb-ldap plugin supports BIND views already. It should be possible to define multiple plugin instances with different ldap search base and let it to serve records. The main problem problem is managing DNS subtree in LDAP. With current implementation you have to copy whole subtree to another place and then change necessary records. Problem is with maintaining base (non-overridden) records - you have to do same change n-times. Adam and I discussed possible approaches. We agreed on stackable approach: - Store whole original DNS tree in one subtree, let say base. - Create override subtrees for each locality = set of customized records. Shared records are only in base. During DNS query processing override subtree is searched first. If record does not exist in override subtree, search will continue in base subtree. Second question is how to realize these overrides: - Let Directory Server to do the work. If DS supports this, it is mostly done. It do not require any change in bind-dyndb-ldap code. All merges/overrides will be done on Directory server. Only /etc/named.conf has to be adjusted with right search base and view clause. I asked on 389 mailing list and I'm waiting for reply: http://lists.fedoraproject.org/pipermail/389-users/2012-May/014653.html - Another approach is to add support directly to bind-dyndb-ldap, but it is not so nice solution. In that case both LDAP search bases have to be defined in /etc/named.conf. For each DNS query is necessary to search override base first. If required record is not present then is necessary to search through base subtree. With persistent search it should be better, because all records are in memory, but basic principle remains same. Thanks for all opinions. Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 1022 normalize uid when in winsync
In case the uid that comes from AD is mixed-case we need to normalize it to all lower. It should be safe using tolower() because we only allow ASCII characters in uid. rob From dd4dc674921ef48a3cb49a0cfb1c2b6308749eb3 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 24 May 2012 13:52:07 -0400 Subject: [PATCH] Normalize uid to lower case in winsync. This in effect fixes uid, krbPrincipalName and homeDir. https://fedorahosted.org/freeipa/ticket/2756 --- .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c| 33 +++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index ef237e93ae00cc377b1dfbab567320c3942a328c..5d9e3cf948a621a91b7e9d89c41a92bfcedad5fe 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c @@ -61,6 +61,7 @@ #include string.h #include stdlib.h +#include ctype.h #include plstr.h static void @@ -82,6 +83,25 @@ do_force_sync( int *do_modify /* set to true if mods were applied */ ); +static char * +str_tolower(char *str) +{ +char *lstr, *t; + +lstr = strdup(str); +if (!lstr) { +/* the caller should log OOM if this returns NULL */ +return NULL; +} + +for (t = lstr; *t; t++) +if (isalpha(*t)) +*t = tolower(*t); + +return lstr; +} + + /* This is called when a new agreement is created or loaded at startup. */ @@ -278,11 +298,22 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry, if (slapi_entry_attr_find(ds_entry, type, e_attr) || !e_attr) { char *upn = NULL; char *uid = NULL; +char *lower = NULL; char *samAccountName = NULL; /* if the ds_entry already has a uid, use that */ if ((uid = slapi_entry_attr_get_charptr(ds_entry, uid))) { -upn = slapi_ch_smprintf(%s@%s, uid, ipaconfig-realm_name); +lower = str_tolower(uid); +if (!lower) { +LOG_OOM(); +return; +} +/* Now reset UID to be lower-case */ slapi_ch_free_string(uid); +slapi_entry_attr_delete(ds_entry, uid); +slapi_entry_attr_set_charptr(ds_entry, uid, lower); +/* And create a normalized principal */ +upn = slapi_ch_smprintf(%s@%s, lower, ipaconfig-realm_name); +free(lower); /* otherwise, use the samAccountName from the ad_entry */ } else if ((samAccountName = slapi_entry_attr_get_charptr(ad_entry, samAccountName))) { -- 1.7.10.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] routing requests to local servers - DNS SRV [discussion needed]
On 05/24/2012 01:07 PM, Petr Spacek wrote: Hello, some time ago there was a request for DNS to support routing requests to local servers. Any opinions if/when do it and proposals how to do it are more than welcome. My best knowledge about this problem follows: This request actually means differentiate answer to DNS query on client's IP address basics. Relevant thread on ipa-users-list: https://www.redhat.com/archives/freeipa-users/2012-April/msg00070.html First question is: Do we want to implement it? (IMHO it is very important for large-scale deployments.) It is related to IPA ticket #122 at architecture level: IPA DNS integration should support GeoIP https://fedorahosted.org/freeipa/ticket/122 IMHO it is better to support generic locations defined by user than real Geo-IP: - at least private IP addresses will be problematic - real Geo-IP database is huge and can slow all things down Bind-dyndb-ldap plugin supports BIND views already. It should be possible to define multiple plugin instances with different ldap search base and let it to serve records. The main problem problem is managing DNS subtree in LDAP. With current implementation you have to copy whole subtree to another place and then change necessary records. Problem is with maintaining base (non-overridden) records - you have to do same change n-times. Adam and I discussed possible approaches. We agreed on stackable approach: - Store whole original DNS tree in one subtree, let say base. - Create override subtrees for each locality = set of customized records. Shared records are only in base. During DNS query processing override subtree is searched first. If record does not exist in override subtree, search will continue in base subtree. Second question is how to realize these overrides: - Let Directory Server to do the work. If DS supports this, it is mostly done. It do not require any change in bind-dyndb-ldap code. All merges/overrides will be done on Directory server. Only /etc/named.conf has to be adjusted with right search base and view clause. I asked on 389 mailing list and I'm waiting for reply: http://lists.fedoraproject.org/pipermail/389-users/2012-May/014653.html - Another approach is to add support directly to bind-dyndb-ldap, but it is not so nice solution. In that case both LDAP search bases have to be defined in /etc/named.conf. For each DNS query is necessary to search override base first. If required record is not present then is necessary to search through base subtree. With persistent search it should be better, because all records are in memory, but basic principle remains same. Thanks for all opinions. May be I am oversimplifying things but it seems that it would make sense to just have an extra multi-value attribute added to the DNS schema. This attribute would contain a value that would allow the entry to be included into the view. This way the base is the same and what the view exposes is just a filter. The default view would have a filter that matches all entries like now. I assume that DNS server makes it decision based on the IP so it has a call to get a view data. The ldap driver can return a filter. The DNS server them makes a call using this filter to get all the records that apply. I know it is too ldap centric. There is some abstraction in DNS server and we do not want to change it. But the point is there are probably two calls in the DNS server (have not actually confirmed): lookup data X by IP to understand what the view is. Pass data X to get the actual DNS entries. I am saying that X can be filter. Thoughts? Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel